Serving webservers using WAF upon UTM9

Hello,

I am trying to configure the UTM9 Webserver Protection feature to manage several domain names, routing to specific web servers in the DMZ, through my one and only public IP.

I have 2 DNS entries pointing to the same public IP:
sub1.mydomain.com
sub2.mydomain.com

I have a NAT rule on the router to forward incoming 443 traffic to the UTM9 WAN interface address.
I have 2 webservers in the DMZ (10.129.50.0):
webserver1 on 10.129.50.10
webserver2 on 10.129.50.11

The way it should work: accessing sub1.mydomain.com should redirect traffic to webserver1, accessing sub2.mydomain.com should redirect traffic to webserver2. Well.

I configured each virtual webserver with the correct FQDN (sub1.mydomain.com for one and sub2.mydomain.com for the other).
As all 443 traffic is NATed from the router to the UTM9 WAN interface, an incoming request on port 443 from outside should hit Webserver Protection, which should match the incoming request (sub1.mydomain.com) to the right virtual webserver, the one with domain sub1.mydomain.com.
Right?

With this configuration:

  • From outside:

https://sub1.mydomain.com --> 👍
https://sub2.mydomain.com --> timeout.

  • From the wired LAN network:

https://sub1.mydomain.com --> 403 Forbidden
10.129.50.10 --> 👍

https://sub2.mydomain.com --> 👍
10.129.50.11 --> 👍

😓 Where is my mistake(s)?

Do I have to set additional NAT rules on UTM9? If so, what is the best practice rule?

Thanks for your help,

Well, here is my progress:

In virtual webservers, I selected Interface External WAN Address and type HTTPS+redirect.

Now from outside:

sub1.mydomain.com --> 👍
sub2.mydomain.com --> 👍

But from the LAN network...:

sub1.mydomain.com --> timeout
sub2.mydomain.com --> timeout

One step forward, one step backward 😒

The WAF log says:

2022:09:14-13:12:03 firewall httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="108" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="350" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyG3Ay_a0LMopbPNsKk31wAAACA"

Is it a loopback problem or something similar? If so, I suppose this is the point to set up NAT rules for LAN users? Any help appreciated...

debug in progress, new info
[edited by: Syn at 11:58 AM (GMT -7) on 14 Sep 2022]
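When reading the UTM9 WAF (httpd) log while debugging routing like this, it helps to separate the appliance's own loopback status probe (srcip 127.0.0.1 requesting /lb-status on localhost:4080, as in the line quoted above) from real client requests, and to tally client hits per requested host and status code. The parser below is an added example, not code from the post or from Sophos; the first sample line mirrors the quoted log entry, the other two (client IPs, the WAN address 198.51.100.1, uids) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the UTM9 httpd log format: line 1 mirrors the post's entry,
# lines 2-3 are made-up client requests (addresses and uids are placeholders).
SAMPLE_LOG = """\
2022:09:14-13:12:03 firewall httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="108" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="350" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyG3Ay_a0LMopbPNsKk31wAAACA"
2022:09:14-13:12:05 firewall httpd: id="0299" srcip="203.0.113.7" localip="198.51.100.1" size="512" user="-" host="sub1.mydomain.com" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1200" url="/" server="sub1.mydomain.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="CONSTRUCTED1"
2022:09:14-13:12:09 firewall httpd: id="0299" srcip="192.168.1.20" localip="198.51.100.1" size="0" user="-" host="sub2.mydomain.com" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="900" url="/" server="sub2.mydomain.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="CONSTRUCTED2"
"""

# Leading fields: timestamp, device name, the literal "httpd:", then key="value" pairs.
PREFIX_RE = re.compile(r'^(?P<ts>\S+) (?P<device>\S+) httpd: (?P<rest>.*)$')
# key="value"; values may be empty (query="") and may contain backslash-escaped quotes.
KV_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


def parse_line(line):
    """Parse one httpd log line into a dict, or return None if it is not in this format."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "device": m.group("device")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def is_internal_probe(rec):
    """True for the WAF's own loopback health check, which is not a client request."""
    return rec.get("srcip") == "127.0.0.1" and rec.get("url") == "/lb-status"


def summarize(log_text):
    """Count client requests per (requested host, status code), skipping internal probes."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_internal_probe(rec):
            continue
        counts[(rec.get("host", "-"), rec.get("statuscode", "-"))] += 1
    return counts


if __name__ == "__main__":
    for (host, status), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host:25s} {status}  {n}")
```

Feeding the real log through summarize() shows, per virtual webserver FQDN, whether LAN and WAN clients are reaching the WAF at all and with which status, which is the question the timeouts and the 403 above leave open.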